sheldon-mccarthy
Data Governance starts with planning:
• Metadata Management
• Master Data Management
• Data Quality Management
• Data Privacy & Security
Enterprise Data Governance for Financial Institutions
What is Data Governance?
Ref. http://searchdatamanagement.techtarget.com/definition/data-governance
Is what FIs track in spreadsheets today.
Uses MDM technology to enhance FI data quality and provide metrics on data governance programs.
Defines FI standards for data and who will be accountable.
Assigns a security classification type to all structured and unstructured data within the Financial Institution (FI).
Benefits of Data Governance
• Adopting a Data Governance strategy can help Financial Institutions protect sensitive information from attack or misuse, and also helps the organization use its data more effectively.
• Good Data Governance practices and data security classification help to protect against and limit the risks of a data breach, data leakage or human misuse of data.
• By having a Data Governance program, organizations can establish data storage lives and destroy old data to reduce data storage and maintenance costs, providing a small boost in the ROI of Data Warehousing & Business Intelligence programs.
Data Governance Maturity Model
[Figure: four maturity stages; axis labels: Resource & Technology Investments, Time]
Basic
• Immature policies and procedures
• Lack of training and awareness
• Limited technology
Standardized
• Established policies and procedures
• Formal training and awareness
• Minimal technology
Rationalized
• Process and procedure improvement
• Formal training and compliance metrics
• Reduced reliance on manual controls
Dynamic
• Process transformation and more integrated compliance efforts
• Formal training and compliance metrics
• Fully automated and integrated controls managed by IT
Data Governance Strategic Objectives
INFORMATION DELIVERY: Information Management of Enterprise Reporting Content
• Produces information that is easily accessible, standardized, and sourced from a single place.
• Produces information that can be used to make and support operational and strategic business decisions.
• Ensures data is captured, mapped, stored, managed, retained and archived in accordance with FFIEC compliance regulations.
SIMPLIFY SYSTEMS: Deprecation of Ad-hoc Legacy Business Systems
• Assists in dismantling business systems that are designed or built with architectural dependencies on other applications.
• Consolidation of business application and reporting systems.
ENABLING CAPABILITY: Enabling the Deployment of New Business Applications
• Supports the deployment of new applications by standardizing key business terms to enable data conversion and configuration of application integration points.
ONGOING OPERATIONS: Maintaining business functions that maximize daily operations
• Provide quality support services that add value to FI reporting data stakeholders and business users.
• Maintains safety and soundness of all the data used and shared by the Financial Institution.
Metadata Management
Specifies the basic components of data into information that can be re-used to improve business operations and processes, including:
• Design & control of Data Dictionary
• Identifying Data Stewards & Data Owners
• Retrieval of data from databases
• Design of information processing systems
• Design of EDI-messages
• Maintenance of items in a metadata repository
Metadata Repository (MDR)
• A Metadata Repository is designed to capture the “basic components” or the semantics of data, independent of any application or subject matter area.
• MDRs can reduce the time and costs of defining and approving the semantics of data by re-using basic components that have already been approved by our data stewards.
MDR Registration Model
1) Project submits a term to MDR for registration
2) Project team notifies Registrar submitted item is ready for certification
3) The submitted item is routed to Data Stewards
4) Data Stewards work with the project teams to define terms and definitions
5) Term is pending approval
6) Term is approved by the EDM voting members
7) Term is certified for use in the MDR registry and updated in the FCBT WIKI.
A Registration Process Model can be viewed here.
MDR Registration Process
Classification of Metadata Attributes
Attribute | Definition | Occurrence | Required Metadata
Term Name | The MDM approved term name. | One per data element | Yes
Business Definition | The MDM approved definition | One per data element | Yes
Valid Values | Examples of data element, amount, date, selection list or other | If applicable | Yes, if applicable
Standardized Formula | Calculation used to derive a data element metric or amount | One per data element | Yes, if applicable
Source Reference | The system the data element originates from | Can be multiple systems of origin | Yes, used to determine ownership
Data Owner | The decision contact for data quality and data privacy | Could be more than one per data element | Yes
Data Steward | Definition contact. Appointee of the business owner. | Could be more than one per data element | Yes
Submission Contact | Appointee of the project team | One per data element | Yes
Creation Date | Date a data element was submitted | One per data element | Yes
Last Change Date | Shows when a data element was last updated | One per data element | Yes
The complete Metadata Classification Schema can be viewed here.
Master Data Management
Brings together the:
• Business Rules for Data Quality
• Procedures for Metadata Management
• IT Roles & Responsibilities
• Progress Tracking & Reporting
• Data Privacy Classifications for all the data within the organization
• Auditable Time Stamps & User IDs
Benefits of MDM
Master Data Management (MDM) is a methodology for researching and implementing controls and business rules around your data.
The many benefits of implementing Master Data Management include:
- Preventing critical errors in data quality
- Preventing data loss, breach and negligence
- Improving efficiency and availability of information needed for business decision making
Challenges of Implementing MDM
• Lack of centralization
• Data misunderstandings
• Lack of defined metadata attributes
• Poor data quality rules and guidelines
• Other priorities
• Lack of training and awareness
• No clear definition of success
Master Data Management Maturity
[Figure: MDM maturity stages; axis labels: Processing Maturity, Time; callout: INVEST]
• No MDM
• Metadata Schema and Mgmt. Plan
• Stewardship and Project Team Mgmt. Model
• Centralized Hub Processing of all application database data
• Business Rules for Data Quality & Policy Support
• Data Privacy & Security
MDM Capabilities and Enablers
Key Business Capabilities
• Well defined, documented, and enforced policies and processes for governing master data and data quality
• Cross-functional teams of business stakeholders
• Well documented, regularly reviewed and updated operational procedures
Key Technology Enablers
• Established metadata schema and metadata repository
• Data or information consistency, migration, quality, and transformation tools (ETL)
• IT enabled access controls, process management, and security solutions
Solutions for MDM Life Cycle
Strategy
• MDM Roadmap
• Program Development
• Readiness Assessment
• Data Quality / Stewardship Programs
Planning
• Project Planning
• Tool Assessment
• Architecture Design
• Success Metrics & Reporting
Implementation
• Requirements Workshops
• MDM Design
• MDM Process
• Stewardship Process
• Data Quality
Support
• Policies & Procedures
• SLA Management
• MDM Training
• Change Management
MDM Maturity Accelerators
• MDM Methodology
• Project Plans
• Architecture Frameworks
• Best Practice Techniques
• Training Curriculum
• New Technology Tools
Data Quality Management
Data Quality Management is the process of establishing roles & responsibilities and the business rules that govern data by bringing the Business and IT to work together.
Their task is two-fold: to address the problems that already exist and to prevent potential ones from occurring.
Ref. http://blogs.perficient.com/businessintelligence/tag/data-governance/
Data Quality and Data Governance: The Basics
• Business Rules
– Enterprise Architecture
– Naming and Identification Principles
– Formulation of Data Definitions
– Data Definition Process (see Data Registration Model)
• Roles & Responsibilities
– Business & IT Subject Matter Experts (SMEs)
Business Rules
Naming and Identification Principles
Each administered item shall have a unique data identifier within the metadata register. (ex: ID_KEY)
A naming convention shall cover all the following aspects:
a) the scope of the naming convention, e.g. established industry name
b) the authority that establishes names
c) semantic rules governing the source and content of terms used in a name
d) syntactic rules covering required term order
Business Rules
Formulation of Data Definitions
A data definition should:
a) be stated in the singular
b) state the concept as a descriptive phrase or sentence(s)
c) contain only commonly understood abbreviations
d) be expressed without embedding rationale, functional usage, or procedural information
e) use the same terminology and consistent logical structure for related definitions
Roles & Responsibilities
Data Governance Council – comprises an Information Management Head and Data Stewards from various units.
Information Management Head – is the one who is accountable to the Governance Council on all aspects of data quality. This role would typically be fulfilled by the CIO.
Data Stewards – are the unit heads who lay down the rules & policies to be adhered to by the rest of the team. This role would usually be fulfilled by a Program Manager.
Ref. http://blogs.perficient.com/businessintelligence/tag/data-governance/
Data Custodians – are responsible for the safe storage & maintenance of data within the technical environment. DBAs would normally be the data custodians in a firm.
Business Analysts – are the ones who convey the data quality requirements to the data analysts.
Data Analysts – are those who would reflect the requirements into the model before handing it over to the development team.
Internal Audit – reviews procedures to determine how well we did.
Data Privacy & Security Management
Financial institutions should control and protect access to paper, film and computer-based media to avoid loss or damage. Institutions should:
• Establish and ensure compliance with policies for handling and storing information,
• Ensure safe and secure disposal of sensitive media, and
• Secure information in transit or transmission to third parties.
http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/data-security.aspx
FFIEC Action Summary
Data Privacy and Security Threats
Data Privacy & Security Challenges
• Information Security
– Organizations need to worry about evolving criminal enterprises, but they also need to worry about small storage media devices that can easily be lost or stolen.
– The financial and reputational costs that data breaches can have on an organization are significant.
• Information Privacy
– The sensitive information involved in data breaches, and the potential for an increase in identity theft cases, has consumers thinking twice about their personal information being held by organizations.
• A Complex Regulatory Landscape
– Stop security threats and protect consumers’ personal information
– Spread awareness of best practices and promote self-regulation
Ref. http://tfs.sharepoint.nterprise.net/sites/Enterprise%20Data%20Mgmt/Project%20Management/EDM%20Presentations/Data%20Governance%20Research%20Files/Guide_to_Data_Governance_Part4_A_Capability_Maturity_Model_whitepaper.pdf
Data Governance Privacy & Compliance Framework
People
• Committed and engaged executive leadership
• Trained, aware and accountable employees
Process
• Structured, repeatable, and adaptable process
• Data Classification & Data Stewardship
Technology
• Secure infrastructure that protects information
• Auditing and Reporting of access controls
Data Governance, Risk Management, and Policy Compliance
• Governance ensures that the business focuses on core activities, clarifies who has the authority to make decisions, and addresses how performance will be evaluated.
• Risk Management is a systematic process for identifying, analyzing, evaluating, remedying, and monitoring risk.
• Compliance refers to actions that ensure behavior that complies with established rules as well as the provision of tools to verify that compliance.
Data Governance Policies
• Data Stewardship (authority) Policy
• Data Classification Policy
– Public Information
– Internal Use Only
– Restricted Data
– Confidential Data
Data Privacy Risk Management Process
Establish goals
Identify (model) threats
Analyze risks
Determine treatment
Evaluate compliance
Diagramming
Threat Enumeration
Data loss/leak prevention solutions are designed to detect potential data breach incidents in a timely manner and prevent them by monitoring data while in-use, in-motion and at-rest.
A data leakage incident is when sensitive data is disclosed to unauthorized personnel, whether by malicious intent or human mistake.
DLP (Data Loss Prevention) Software
[Figure labels: INTERNET, DLP Suite]
DLP Technology Domains
Secure Information
• Safeguard against malware and intrusions
• Protect systems from evolving threats
Identity and Access Control
• Protect sensitive data from unauthorized access or use
• Provide management controls for identity, access, and provisioning
Information Protection
• Protect sensitive data in structured databases
• Protect sensitive data in unstructured documents, messages, and records
• Automate data classification
• Protect data in motion
Auditing and Reporting
• Monitor to verify integrity of systems and data
• Monitor to verify compliance with policies